Welcome to my information security blog. I hope the information I publish and comments I provide can offer some insight, for better or worse, into current industry trends, technologies, and innovations.
One of the purposes for this blog is to encourage creative and constructive dialogue, so feel free to comment. If you do, please provide your name.
If you have any feedback or would like to contact me offline, don't hesitate to email me: mike[@]cloppert[.]org

2010-10-01

Why there shouldn't be a dot-secure

A few days ago, Cyberwar Chief Gen. Alexander proposed building a separate, secure network for the nation's critical infrastructure. By now, this has been widely derided by many security specialists, but I wanted to throw my hat in the ring with a few comments.

Separation is an effective control in theory. One chronic problem our industry suffers is "ivory tower" syndrome, with decisions divorced from reality. This proposal is an example.

SIPRnet is an example of where separation has effectively mitigated risk. The DoD's network is largely isolated, and as a result, has mitigated risks that internet-connected networks experience. Notice how I said "mitigated," not "prevented." Security is about risk management, not risk elimination.

The problem with separation comes in the form of exceptions and enforcement. The more exceptions, and the less enforcement, the less effective the separation, and the less risk mitigation. The diminishing role of firewalls as an effective security device is a stark example of this.

Think of this in terms of "meatspace": the Great Wall of China, the Berlin Wall, the Maginot Line - all were colossal failures for their stated goals. Additionally, the massive investment of resources for construction and maintenance detracted from other, more effective strategies, amplifying their detrimental impact. Yet island nations such as Britain, which have had a complete water barrier, have enjoyed the security benefits of this isolation throughout their history.

The general's proposal is a fool's errand. I would say the same about an isolation regime only for the defense industrial base and the DoD, given the interconnectedness and overlap of those networks. What he proposes is a geometrically larger problem, with corresponding increases in the need for exceptions and the difficulty of enforcement. The exceptional cost of such an approach could not possibly justify the resultant risk mitigation IMO. That amount of money would go much further in mitigating risk by investing in broadly-adopted and linked authentication mechanisms, secure DNS, counterintelligence, and cross-industry, threat-focused network defense.

About Me

I have been employed in various information technology fields since 1997, and in information security since 2001. I have an undergrad degree in Computer Engineering from the University of Dayton, received various industry certifications (GCIA, GREM, GCFA, etc.), and am currently pursuing a MS in Computer Science from George Washington University. I have lectured on various information security topics to IEEE, internal organization-wide IT conferences, and the annual Department of Defense Cybercrime Convention. My international work experience consists of training on general information security topics and IDS design/implementation onsite in Egypt, Israel, and India, as well as providing incident response assistance in the Far East. I have been a contributing editor to incident response procedures for two major organizations, and have been involved in digital forensic investigations since 2001. Currently, my work consists of security-related research and development, covering topics from vulnerability and exploit reverse engineering to implementation of security technologies, as well as digital forensics for an enterprise Computer Incident Response Team.